1. Field of the Invention
The invention relates to file access control in a multi-protocol file server.
2. Related Art
In an integrated computer network, it is desirable for multiple client devices to share access to the same files. One known method is to provide a network file server for storing files, capable of receiving and responding to file server requests from those client devices. These file server requests are made using a file server protocol, which is recognized and adhered to by both the file server and the client device. Because the files are stored at the file server, multiple client devices have the opportunity to share access to the same files.
In a file system intended for use by more than one user, it is desirable to restrict access by programs to files in the file system. Restricting access includes at least two aspects: (1) user authentication, determining that requesting users are truly who they say they are, and (2) access control validation, determining that an authenticated user is allowed to access a particular file in a particular way. When the file system is maintained on a file server remote from the user making the request, there is an additional aspect, the access control protocol: what requests the user can make to access files or to set access control for files.
One problem in the known art is that there are multiple diverse models for access control validation, each typically associated with a particular file system, and there are multiple diverse access control protocols, each typically corresponding to a model for access control validation. Despite the differences between these models and protocols, the file server should respond to file server requests from each user, and should exhibit access control validation behavior, consistent with each user's model and without security violations or surprises for users.
For example, a first access control model in common use is associated with the Unix operating system (or a variant thereof). This first access control model associates permissions with each file for a file owner, an owner's group, and all other users. These permissions allow access (for the owner, group, or all other users) to read, write, or execute the indicated file. This first access control model is typically implemented by the NFS ("Network File System") file server protocol, possibly augmented with an adjunct file-locking protocol, NLM ("Network Lock Manager"). A second access control model in common use is associated with the Windows NT operating system. This second access control model associates an ACL (access control list) with each file, each entry in the ACL specifying an individual user, a group of users, or all users. Each entry can allow access (for the specified users) to read, write, or execute the indicated file, or can specifically deny access. This second access control model is typically implemented by the CIFS ("Common Internet File System") protocol. However, NT devices can also use the NFS protocol by means of the "PC NFS" implementation, and Unix devices can also manipulate POSIX ACLs. These two access control models in common use differ in significant ways, including (1) what permissions can be assigned to a file, (2) with what granularity of specificity permissions can be assigned, and (3) how users are identified so as to match them with permissions.
One method known in the art is to provide a multi-protocol file server that maps all security semantics to that of a single native operating system for the file server, and uses that single native operating system to validate file access control. The "Samba" system and similar emulation packages are believed to use this known method. This known method has the drawback that it can result in security errors or surprises for those client devices using security semantics other than the file server's native operating system.
Another method known in the art is to provide a multi-protocol file server that supports differing types of security semantics for differing files, but attempts to validate file access control for each user using the user's access control model. Some "Netware" products available from Novell Corporation are believed to use this known method. This known method has the drawback that the user's access control model can differ significantly from the access control model set for the file, resulting in security errors or surprises for those client devices using security semantics other than those associated with the target file.
Accordingly, it would be desirable to provide a method and system for enforcing file security semantics among client devices using multiple diverse access control models and multiple diverse file server protocols. This advantage is achieved in an embodiment of the invention in which a multi-protocol file server identifies each file with one particular access control model out of a plurality of possible access control models, and enforces that particular access control model for all accesses to that file. When the file server receives a file server request for that file using a file server protocol with a different access control model, the file server translates the access control limits imposed by the file's access control model into no-less-restrictive access control limits in the different access control model. The file server restricts access to the file using the translated access control limits.
The invention provides a method and system for enforcing file access control among client devices using multiple diverse access control models and multiple diverse file server protocols. A multi-protocol file server identifies each file with one particular access control model out of a plurality of possible models, and enforces that one particular model for all accesses to that file. When the file server receives a file server request for that file using a different access control model, the file server translates the access control limits for that file into no-less-restrictive limits in the different model. The file server restricts access by the client device using the translated access control limits.
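The translation step above, and the two models contrasted earlier (owner/group/other bits versus an ACL of allow and deny entries), as an added example that is not code from the patent or from any product it names. The Python below uses its own simplified models: an ACL entry carries only read, write and execute rights, and the ACL is evaluated so that the first entry applying to the caller that mentions a right decides that right (an assumption chosen for this example). The `unix_to_nt` direction reproduces the Unix decision exactly; the `nt_to_unix` direction cannot know which users belong to which groups, so it withholds any right that an entry might deny for some class member, which is what keeps the result no less restrictive than the ACL. All names and the sample permissions are constructed for this example.

```python
"""Added example: translating access control limits between a Unix-style
mode (owner/group/other rwx bits) and an NT-style ACL so that the result
is never less restrictive than the original.  Names and the simplified
models are this example's own assumptions, not the patent's code."""
from dataclasses import dataclass

ALL = frozenset("rwx")


@dataclass(frozen=True)
class Ace:
    kind: str            # "user", "group" or "everyone"
    who: str             # user or group name ("" for everyone)
    allow: bool          # True = allow entry, False = deny entry
    rights: frozenset    # subset of ALL


@dataclass
class UnixPerms:
    owner: str
    group: str
    bits: dict           # {"owner": set, "group": set, "other": set}


def unix_check(p, user, groups, wanted):
    """Unix model: exactly one class applies, chosen by owner, then group."""
    if user == p.owner:
        cls = "owner"
    elif p.group in groups:
        cls = "group"
    else:
        cls = "other"
    return set(wanted) <= set(p.bits[cls])


def nt_check(acl, user, groups, wanted):
    """ACL model (assumed here): the first entry that applies to the caller
    and mentions a right decides that right; rights never mentioned are denied."""
    decided = {}
    for ace in acl:
        applies = (ace.kind == "everyone"
                   or (ace.kind == "user" and ace.who == user)
                   or (ace.kind == "group" and ace.who in groups))
        if applies:
            for right in ace.rights:
                decided.setdefault(right, ace.allow)
    return all(decided.get(right, False) for right in wanted)


def unix_to_nt(p):
    """Unix -> NT.  Each Unix class becomes an allow entry for the rights it
    has plus a deny entry for the rights it lacks, so a member of that class
    cannot pick up extra rights from a later, broader entry."""
    acl = []
    for kind, who, cls in (("user", p.owner, "owner"), ("group", p.group, "group")):
        bits = frozenset(p.bits[cls])
        if bits:
            acl.append(Ace(kind, who, True, bits))
        if ALL - bits:
            acl.append(Ace(kind, who, False, ALL - bits))
    other = frozenset(p.bits["other"])
    if other:
        acl.append(Ace("everyone", "", True, other))
    return acl


def nt_to_unix(acl, owner, group):
    """NT -> Unix.  Group membership of arbitrary users is unknown, so a right
    goes into a Unix class only if a certainly-applicable allow entry grants it
    and no entry that might apply to some member denies it first."""
    def scope(cls, ace):
        # "certain": applies to every member of cls; "possible": may apply to
        # some member; None: cannot apply to any member.
        if ace.kind == "everyone":
            return "certain"
        if cls == "owner":
            if ace.kind == "user":
                return "certain" if ace.who == owner else None
            return "possible"                    # owner's group memberships unknown
        if ace.kind == "user":
            return None if ace.who == owner else "possible"   # owner is not in these classes
        if ace.who == group:
            return "certain" if cls == "group" else None      # "other" excludes the file's group
        return "possible"

    bits = {}
    for cls in ("owner", "group", "other"):
        granted = set()
        for right in ALL:
            for ace in acl:
                s = scope(cls, ace)
                if s is None or right not in ace.rights:
                    continue
                if not ace.allow:
                    break                        # a deny that may apply: withhold the right
                if s == "certain":
                    granted.add(right)
                    break
                # an allow that only possibly applies: keep looking for a certain one
        bits[cls] = granted
    return UnixPerms(owner, group, bits)
```

The asymmetry is the point: the Unix-to-ACL direction can be exact because the ACL language is richer, while the ACL-to-Unix direction must collapse per-user entries into three classes and, when in doubt about membership, err toward denying. Real CIFS and NFS rights are broader than the three bits used here, so a production mapping has more cases, but the same no-less-restrictive rule governs each of them.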
In a preferred embodiment, each file is assigned the access control model of the user who created the file or who last set access control limits for the file. When a user having a different access control model sets access control limits, the access control model for the file is changed to the new model. Files are organized in a tree hierarchy, in which each tree is limited to one or more access control models (which can limit the ability of users to set access control limits for files in that tree). Each tree can be limited to NT-model-only format, Unix-model-only format, or mixed NT-or-Unix-models format.
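The per-file model assignment and per-tree restriction described in this paragraph, as an added example that is not the patent's own code. Class and variable names are hypothetical, the limits themselves are passed through opaquely (a mode number or an ACL list, never interpreted here), and one behaviour is an assumption made for the example: a request to set limits in a model the tree's style does not allow is refused outright rather than being translated.

```python
"""Added example: which access control model a file carries, and how a
tree's style constrains who may set limits.  Hypothetical names; the limits
are opaque here because this shows tagging, not enforcement."""
from dataclasses import dataclass

NT, UNIX = "nt", "unix"
TREE_STYLES = {"nt": {NT}, "unix": {UNIX}, "mixed": {NT, UNIX}}


@dataclass
class FileEntry:
    model: str      # the one model enforced for every access to this file
    limits: object  # the limits, expressed in that model (mode or ACL)


class Tree:
    """A tree accepts limits only in the models its style allows (assumption
    for this example: a request in a disallowed model is refused)."""

    def __init__(self, style):
        self.allowed = TREE_STYLES[style]
        self.files = {}

    def create(self, path, user_model, limits):
        """A new file takes the model of the user who created it."""
        self._require(user_model)
        self.files[path] = FileEntry(user_model, limits)
        return self.files[path].model

    def set_limits(self, path, user_model, limits):
        """Setting limits re-tags the file with the setter's model, even if
        the file previously carried the other one."""
        self._require(user_model)
        entry = self.files[path]
        entry.model, entry.limits = user_model, limits
        return entry.model

    def model_of(self, path):
        return self.files[path].model

    def _require(self, model):
        if model not in self.allowed:
            raise PermissionError(f"{model} limits are not accepted in this tree")
```

In a mixed tree the file's model therefore follows whoever last set its limits, which is exactly why enforcement for a later request from the other model has to go through the translation step rather than through the requester's own semantics.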